This sample demonstrates how a server can be configured to accept Spnego-based negotiation from a browser while still being able to fall back to form-based authentication.
Using a user1 principal (see Section C.1, “Setup MIT Kerberos”), do a Kerberos login manually using credentials.
$ kinit user1
Password for [email protected]:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:18:45  11/03/15 03:18:45  krbtgt/[email protected]
        renew until 11/03/15 17:18:40
or using a keytab file.
$ kinit -kt user2.keytab user1

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:25:03  11/03/15 03:25:03  krbtgt/[email protected]
        renew until 11/03/15 17:25:03
Run a server.
$ java -jar sec-server-spnego-form-auth-1.0.1.RELEASE.jar
Now you should be able to open your browser and let it do Spnego authentication with the existing ticket.
Note: See Appendix E, “Configure Browsers for Spnego Negotiation”, for more instructions on configuring browsers to use Spnego.
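When the browser step above ends at the login form instead of logging you in, it helps to see what the browser actually put in its Authorization header (copied from the developer tools or a request log). The following is an added example, not part of the Spring sample: the function name and result labels are hypothetical, the sample token is constructed, and the NTLM case goes beyond what this page covers.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"


def _gss_mech_oid(token: bytes) -> bytes:
    """Return the DER OID that follows the GSS-API 0x60 header, or b''."""
    if len(token) < 4 or token[0] != 0x60:
        return b""
    pos = 2
    if token[1] & 0x80:                  # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return b""
    return token[pos:pos + 2 + token[pos + 1]]


def classify_authorization(header):
    """Classify the Authorization header sent to the Spnego-protected server."""
    if not header:
        return "no-credentials"          # nothing negotiated; form login is the fallback
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                    # typically: browser got no Kerberos service ticket
    oid = _gss_mech_oid(token)
    if oid == SPNEGO_OID:                # substring search for the Kerberos mech is a heuristic
        return "spnego-kerberos" if KRB5_OID in token else "spnego-no-kerberos"
    if oid == KRB5_OID:
        return "raw-kerberos"
    return "unknown"


# Constructed sample: a minimal NegTokenInit listing only the Kerberos mechanism.
SAMPLE_SPNEGO = b"\x60\x1b" + SPNEGO_OID + bytes.fromhex("a011300fa00d300b") + KRB5_OID

if __name__ == "__main__":
    hdr = "Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode()
    for h in (None, hdr, "Negotiate TlRMTVNTUAABAAAA"):
        print(classify_authorization(h))
```

A result of no-credentials or ntlm points at the browser configuration or the ticket cache rather than at the server's keytab.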
server:
  port: 8080
app:
  service-principal: HTTP/[email protected]
  keytab-location: /tmp/tomcat.keytab